From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182])
 by mx.groups.io with SMTP id smtpd.web10.2206.1622684334067544839
 for <devel@edk2.groups.io>;
 Wed, 02 Jun 2021 18:38:54 -0700
Authentication-Results: mx.groups.io;
 dkim=fail reason="body hash did not verify" header.i=@linux.microsoft.com header.s=default header.b=gmuigCF3;
 spf=pass (domain: linux.microsoft.com, ip: 13.77.154.182, mailfrom: mikuback@linux.microsoft.com)
Received: from localhost.localdomain (unknown [167.220.2.74])
	by linux.microsoft.com (Postfix) with ESMTPSA id 9DE5820B7178;
	Wed,  2 Jun 2021 18:38:53 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 9DE5820B7178
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com;
	s=default; t=1622684333;
	bh=PjFzeAsbIGqjltRq5XnxbQnQhOzFnnKeFBoIlXzNCjI=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=gmuigCF37USNyWHPnD+n+QL+LxW2+ip7POVA4jvZ6JdGaTm99+xn9ieyARO0iWZfo
	 a4eMoq6Z2D5XLJSl3qr8ab7mFOkQfpx2E1wA1VH96ixbn98fVzu+pgtk+Y9w1rUSWx
	 Vv4f7mjbkq7oQwIBY9/8vDXNwbl58kBVijFiJKRE=
From: "Michael Kubacki" <mikuback@linux.microsoft.com>
To: devel@edk2.groups.io
Cc: Michael Kubacki <michael.kubacki@microsoft.com>,
	Chasel Chiu <chasel.chiu@intel.com>,
	Nate DeSimone <nathaniel.l.desimone@intel.com>,
	Liming Gao <gaoliming@byosoft.com.cn>,
	Eric Dong <eric.dong@intel.com>
Subject: [edk2-platforms][PATCH v1 2/2] MinPlatformPkg/TpmPlatformHierarchyLib: Disable TPM platform hierarchy
Date: Wed,  2 Jun 2021 18:38:18 -0700
Message-Id: <20210603013818.1248-3-mikuback@linux.microsoft.com>
X-Mailer: git-send-email 2.28.0.windows.1
In-Reply-To: <20210603013818.1248-1-mikuback@linux.microsoft.com>
References: <20210603013818.1248-1-mikuback@linux.microsoft.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

From: Jeremiah Cox <jerecox@microsoft.com>

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D3411

Updates the current ConfigureTpmPlatformHierarchy() implementation
to instruct the TPM to disable the platform hierarchy to prevent
later boot/OS code from accessing TPM platform features. This
modifies the current behavior which instead randomizes the platform
auth and then "forgets" it to prevent future platform feature access.

Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Eric Dong <eric.dong@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
---
 Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPla=
tformHierarchyLib.c | 51 ++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarc=
hyLib/TpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/Tcg/Libra=
ry/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c
index 41ddb26f4046..bc1dce9b1c51 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/T=
pmPlatformHierarchyLib.c
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/T=
pmPlatformHierarchyLib.c
@@ -18,6 +18,7 @@
 #include <Library/BaseMemoryLib.h>
 #include <Library/UefiBootServicesTableLib.h>
 #include <Library/MemoryAllocationLib.h>
+#include <Library/Tpm2DeviceLib.h>
 #include <Library/Tpm2CommandLib.h>
 #include <Library/RngLib.h>
 #include <Library/UefiLib.h>
@@ -197,6 +198,51 @@ RandomizePlatformAuth (
   ZeroMem (Rand, RandSize);
 }
=20
+/**
+  Disable the TPM platform hierarchy.
+
+  @retval   EFI_SUCCESS       The TPM was disabled successfully.
+  @retval   Others            An error occurred attempting to disable th=
e TPM platform hierarchy.
+
+**/
+EFI_STATUS
+DisableTpmPlatformHierarchy (
+  VOID
+  )
+{
+  EFI_STATUS  Status;
+
+  // Make sure that we have use of the TPM.
+  Status =3D Tpm2RequestUseTpm ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEf=
iCallerBaseName, __FUNCTION__, Status));
+    ASSERT_EFI_ERROR (Status);
+    return Status;
+  }
+
+  // Let's do what we can to shut down the hierarchies.
+
+  // Disable the PH NV.
+  // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but =
TPM parts have
+  //                 been known to store the EK cert in the PH NV. If we=
 disable it, the
+  //                 EK cert will be unreadable.
+
+  // Disable the PH.
+  Status =3D  Tpm2HierarchyControl (
+              TPM_RH_PLATFORM,     // AuthHandle
+              NULL,                // AuthSession
+              TPM_RH_PLATFORM,     // Hierarchy
+              NO                   // State
+              );
+  DEBUG ((DEBUG_VERBOSE, "%a:%a() -  Disable PH =3D %r\n", gEfiCallerBas=
eName, __FUNCTION__, Status));
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a:%a() -  Disable PH Failed! %r\n", gEfiCalle=
rBaseName, __FUNCTION__, Status));
+    ASSERT_EFI_ERROR (Status);
+  }
+
+  return Status;
+}
+
 /**
    This service defines the configuration of the Platform Hierarchy Auth=
orization Value (platformAuth)
    and Platform Hierarchy Authorization Policy (platformPolicy)
@@ -211,4 +257,9 @@ ConfigureTpmPlatformHierarchy (
   // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAu=
th being null
   //
   RandomizePlatformAuth ();
+
+  //
+  // Disable the hierarchy entirely (do not randomize it)
+  //
+  DisableTpmPlatformHierarchy ();
 }
--=20
2.28.0.windows.1